CA SSO 12.7 is out and includes OpenID Connect Authorization code flow out of the box! This extends the numerous SSO access tokens and architectures already supported by the product.
Attached is a runbook I created based on lab experience setting up agent less SSO using JWT tokens using opensource Apache module mod_auth_openidc.
There are numerous options within the OIDC spec so I am just beginning to touch some of the use cases. This document will be updated as I adventure more.
Food for thought: Apache within Docker containers no longer require the need to install / register web agents to protect web resources to receive an SSO access token. SMSESSION cookie is still generated and can be used for web access management use cases where PEPs / agents are still required.
CA SSO (formerly SiteMinder) certified - http://openid.net/certification/